DEFENSE CONTRACT AUDIT AGENCY

Additional  Guidance  Needed  Regarding  DCAA’s  Use 
of  Companies’  Internal  Audit  Reports 


Why  GAO  Did  This  Study 

DCAA  audits  play  a  critical  role  in 
oversight  of  companies  that  provide 
goods  and  services  to  the  Department 
of  Defense.  These  defense  companies 
also  conduct  their  own  internal  audits. 
Section  832  of  the  NDAA  for  Fiscal 
Year 2013 (Pub. L. No. 112-239)
required  DCAA,  among  other  things, 
to  revise  its  audit  guidance  on 
documenting  its  requests  for  defense 
contractors’  internal  audit  reports  and 
ensuring  the  reports  are  used  only  for 
evaluating  and  testing  the  strength  of 
internal  audit  controls. 

The  act  required  GAO  to  assess  the 
revised  guidance.  This  report  assesses 
the  extent  to  which  DCAA’s  revised 
guidance (1) complied with the act,
and  whether  selected  requests  for 
company  internal  audit  reports  were 
documented  in  accordance  with 
requirements,  and  (2)  contains 
safeguards  to  help  ensure  that 
companies’  internal  audit  reports  are 
used  only  for  authorized  purposes. 
GAO  compared  DCAA’s  revised 
guidance  to  the  provisions  of  the  act 
and  examined  a  nongeneralizable, 
random  sample  of  eight  recent  DCAA 
requests  for  companies’  internal  audits. 

What  GAO  Recommends 

GAO  recommends  that  DCAA  clarify 
its  guidance  and  establish  and  monitor 
internal  controls  to  help  ensure  that 
requests  for  company  internal  audits 
are  fully  documented  in  accordance 
with  the  act,  and  that  the  guidance 
defines  authorized  use.  DCAA 
concurred  with  GAO’s 
recommendations. 


View  GAO-15-44.  For  more  information, 
contact  William  T.  Woods  at  (202)  512-4841  or 
woodsw@gao.gov. 


What  GAO  Found 

The  Defense  Contract  Audit  Agency  (DCAA)  revised  its  guidance  in  the  Contract 
Audit  Manual  to  address  the  documentation  requirements  mandated  by  section 
832  of  the  National  Defense  Authorization  Act  (NDAA)  for  Fiscal  Year  2013,  but 
implementation  has  been  inconsistent.  The  revisions  include  provisions  for  DCAA 
auditors  to  document  (1)  that  access  to  company  internal  audit  reports  is 
necessary  to  an  ongoing  DCAA  audit,  (2)  the  request  sent  to  the  company,  and 
(3)  the  company’s  response.  However,  based  on  GAO’s  review  of  selected 
cases,  implementing  the  changes  has  been  inconsistent  across  the  agency.  GAO 
randomly  selected  eight  requests  for  companies’  internal  audits  and  compared 
them  to  the  mandated  requirements  and  DCAA  instructions  provided  to  its 
auditors  as  criteria  to  test  whether  or  not  the  three  documentation  requirements 
had  been  properly  recorded.  None  of  eight  cases  sampled  had  complete  records 
for  the  three  required  documents.  The  figure  below  shows  the  results  of  GAO’s 
examination  of  the  eight  requests. 


Required Documentation for Eight Randomly Selected DCAA Requests to
Companies for Internal Audit Reports

Source: GAO analysis of DCAA data. | GAO-15-44

DCAA’s revised guidance is specific about physical safeguards for companies’
internal  audit  information.  For  example,  the  Contract  Audit  Manual  contains 
extensive  guidance  for  physically  securing  proprietary  information  and  specifies 
that  the  working  papers  should  not  include  a  copy  of  the  companies’  internal 
audit  reports.  However,  the  guidance  is  less  specific  about  safeguards  to  prevent 
unauthorized  use  of  internal  audit  reports;  that  is,  using  the  reports  for  purposes 
other  than  evaluating  the  efficacy  of  internal  controls  or  the  reliability  of  the 
business  systems.  In  particular,  the  guidance  does  not  define  authorized  use, 
provide  examples  of  authorized  use,  or  identify  a  specific  approach  for 
implementing  safeguards.  Officials  stated  that  plans  for  an  electronic  storage 
system  for  safeguarding  companies’  internal  audits  from  unauthorized  use  are  in 
process  as  well  as  guidance  for  using  them.  The  planned  electronic  storage 
capability  would  provide  limited  access  rights  to  companies’  internal  audit  reports 
and  thus  help  ensure  better  tracking  and  limit  the  potential  for  unauthorized  use. 

441 G St. N.W.
Washington,  DC  20548 


U.S.  GOVERNMENT  ACCOUNTABILITY  OFFICE 


November  12,  2014 
Congressional  Committees 

The  Defense  Contract  Audit  Agency  (DCAA)  has  a  critical  role  in 
oversight  of  companies  that  provide  billions  of  dollars  of  goods  and 
services  to  the  federal  government.  This  oversight  role  includes 
assessing  the  companies’  overall  internal  controls  as  well  as  those 
controls  that  address  specific  business  systems  such  as  the  accounting, 
estimating,  and  purchasing  systems.  Major  defense  companies  also 
maintain  their  own  internal  audit  departments  to  monitor  policies  and 
procedures  established  by  management  for  the  efficient  operation  of  the 
company  and  to  ensure  the  integrity  of  their  business  systems,  including 
those  essential  to  executing  their  government  contracts.  These  defense 
companies’  internal  audit  organizations  develop  important  information 
about  the  conduct  of  business  operations  and  internal  controls  in  support 
of  government  contracts  as  one  part  of  assessing  the  overall  control 
environment.  Information  contained  in  internal  audit  reports  can  assist 
DCAA  in  setting  appropriate  audit  risk  levels  which,  in  turn,  can  help 
DCAA  auditors  determine  the  appropriate  amount  of  testing  they  will  have 
to  undertake. 

Section 832 of the National Defense Authorization Act (NDAA) for Fiscal
Year 2013 required DCAA to revise its audit guidance on documenting
requests for contractors’ internal audit reports and on safeguarding the
audit reports against unauthorized use.¹ The act also required us to
evaluate the revised guidance. We assessed (1) the extent to which
DCAA’s revised guidance complied with the act and whether selected
requests for company internal audit reports were documented in
accordance with the requirements, and (2) the extent to which DCAA’s
revised guidance contains safeguards to help ensure that internal audit
reports obtained from companies are used only for authorized purposes.

¹Pub. L. No. 112-239 § 832. For purposes of this report, except in those situations where
we are quoting the NDAA for Fiscal Year 2013, we use the term company when referring
to contractors.

To address our objectives, we compared the provisions of the act to
DCAA’s revised audit guidance regarding documentation and safeguards.
We also obtained DCAA documents containing requests for companies’
internal audits and examined a random, nongeneralizable sample of eight
DCAA  requests  for  companies’  internal  audits  to  determine  if  the  records 
contained  a  written  request  for  the  company  audit  reports,  a  link  between 
the  work  DCAA  was  doing  and  the  content  of  the  company  reports,  and  a 
record  of  the  company’s  response.  We  based  our  evaluation  of  DCAA’s 
documentation  on  standards  for  evidence  and  supervisory  review 
contained  in  generally  accepted  government  auditing  standards 
(GAGAS). 

We  also  interviewed  DCAA  officials  about  implementation  of  the  revised 
guidance  and  the  process  for  compiling  the  documents.  We  concluded 
that  the  data  contained  in  the  requests  submitted  by  the  regions  were 
sufficiently  reliable  for  the  purpose  of  selecting  a  sample.  The  results  of 
our  examination  provide  insights  into  how  the  regions  are  implementing 
the  guidance  but  cannot  be  generalized  across  DCAA’s  requests  for 
internal  audits. 

To  determine  how  DCAA  proposed  to  safeguard  company  internal  audit 
reports,  we  examined  DCAA’s  revised  guidance  and  memorandums 
implementing  the  guidance.  We  discussed  DCAA’s  future  plans  to 
safeguard  company  audits  with  DCAA  officials  and  discussed  company 
perspectives  on  safeguards  with  an  organization  consisting  of  company 
financial  executives.  Appendix  I  has  additional  information  on  our  scope 
and  methodology. 

We  conducted  this  performance  audit  from  April  2014  to  November  2014 
in  accordance  with  generally  accepted  government  auditing  standards. 
Those  standards  require  that  we  plan  and  perform  the  audit  to  obtain 
sufficient,  appropriate  evidence  to  provide  a  reasonable  basis  for  our 
findings  and  conclusions  based  on  our  audit  objectives.  We  believe  that 
the  evidence  obtained  provides  a  reasonable  basis  for  our  findings  and 
conclusions  based  on  our  audit  objectives. 


Background 


Both  DCAA  and  company  internal  auditors  have  responsibility  for 
assessing  the  quality  of  company  internal  controls.  Broadly  speaking, 
internal  controls  refer  to  management  processes  designed  to  provide 
reasonable  assurance  about  a  company’s  ability  to  provide  reliable 
financial  reporting,  promote  effective  and  efficient  operations,  and  comply 
with  applicable  laws,  regulations,  and  contract  provisions.  As  part  of  their 
overall  governance,  many  companies  establish  internal  audit  departments 
to  monitor  adherence  to  management  policies  and  controls,  report 
exceptions  to  policies  and  procedures,  and  track  corrective  actions. 

In addition to a company’s own internal audit department, companies that
provide  goods  and  services  to  the  Department  of  Defense  may  be  audited 
by  DCAA.  As  required  by  the  Federal  Acquisition  Regulation,  DCAA’s 
audits  examine  incurred  costs  and  business  systems  used  in  the 
execution  of  government  contracts.  As  a  part  of  its  audits,  DCAA 
examines  internal  controls  for  those  systems.  DCAA’s  contract  audit 
services  are  intended  to  help  ensure  that  prices  paid  by  the  government 
are  fair  and  reasonable  and  that  companies  are  charging  the  government 
in  accordance  with  applicable  laws,  regulations,  cost  accounting 
standards,  and  contract  terms.  At  the  completion  of  an  audit,  DCAA 
provides  the  contracting  officer  with  a  report  to  assist  in  negotiations  or  in 
assessing  contract  costs,  as  well  as  in  determining  compliance  with 
regulations  and  contractual  requirements. 

DCAA,  which  employs  over  4,000  auditors,  consists  of  a  headquarters 
office  at  Ft.  Belvoir,  Virginia  and  six  major  organizational  components — 
five  regional  offices  across  the  United  States  that  direct  and  administer 
audits  for  assigned  geographical  areas  and  a  field  detachment  office  that 
audits  classified  contracting  activity.  The  six  components  manage  over 
300  field  audit  offices  that  conduct  DCAA’s  work.  Field  audit  offices  can 
be  categorized  as  branch  offices,  resident  offices,  or  suboffices. 

•  Branch  offices  are  located  within  each  region  and  have  responsibility 
for  all  contract  audit  services  within  the  assigned  geographical  area. 

•  Resident  offices  are  established  at  company  locations  where  the  audit 
workload  justifies  assignment  of  a  permanent  staff  of  auditors. 

•  Suboffices  are  established  by  regional  directors  as  extensions  of 
branch  or  resident  offices  when  required  to  furnish  audit  services.  A 
suboffice  depends  on  its  parent  field  office  for  release  of  reports. 

For  larger  companies  with  operations  at  multiple  locations,  DCAA  assigns 
a  Contract  Audit  Coordinator  who  serves  as  a  central  point  of 
communication  between  DCAA  auditors  and  company  representatives. 

DCAA  audits  are  governed  by  GAGAS.  These  standards  require 
evaluation  and  testing  of  a  company’s  overall  internal  controls  including 
the  work  of  the  company’s  internal  audit  activity,  specific  controls,  and 
business  systems.  They  also  require  adherence  to  the  standards  when 
documenting  and  reviewing  audit  work. 

DCAA’s  procedures  for  adhering  to  GAGAS  in  conducting  different  types 
of  audits,  such  as  audits  of  internal  controls  or  company  business 
systems, are contained in its Contract Audit Manual. According to the
audit  manual,  auditors  should  consider  the  company’s  self  governance 
programs  when  assessing  the  adequacy  of  the  internal  controls  to 
determine  the  scope  of  a  DCAA  audit.  Further,  the  audit  manual  states 
that  audits  of  individual  business  systems  are  to  include  an  evaluation  of 
the  internal  control  activities  applicable  to  that  system. 

GAO’s Prior Work on Contractor Internal Control Reports and DCAA’s Access

In a December 2011 report, we examined DCAA’s process for
discovering,  requesting,  and  tracking  selected  companies’  internal  audit 
reports.  We  found  that  the  process  varied  among  the  different  DCAA 
offices,  DCAA  requested  few  audit  reports,  and  DCAA  did  not  track  the 
disposition of requests for the reports.² Our work showed that DCAA did
not  always  obtain  these  reports,  either  because  the  companies  declined 
to  provide  them  or  because  DCAA  did  not  request  them.  Further,  DCAA 
did not track company responses to its requests. We recommended
that DCAA establish central points of contact for each company,
periodically  assess  information  compiled  by  the  central  points  of  contact, 
and  reaffirm  with  staff  through  revisions  to  the  guidance  and  additional 
training  under  what  circumstances  company  internal  audit  reports  could 
be  requested  and  used.  DCAA  generally  concurred  with  our 
recommendations  and  in  August  2012  revised  the  Contract  Audit  Manual 
to  implement  the  recommendations,  issued  memorandums  for  Regional 
Directors,  and  stated  that  they  planned  to  provide  additional  training. 

Recent  Legislation 

Subsequent to our 2011 report, section 832 of the NDAA for Fiscal Year
2013 required DCAA to revise its guidance on access to defense
contractor internal audit reports.³ The act also required DCAA to
appropriately  document  requests  for  internal  audit  reports.  The  required 
documentation  should  include,  at  a  minimum,  the  following 
documentation: 

• Written determination that access to contractor internal audit reports is
necessary to complete required evaluations of contractor business
systems;

• A copy of any request from DCAA to a contractor for access to the
internal audit reports; and

• A record of the contractor’s response to include a reason or
justification if access to the requested internal reports was not
granted.

²GAO, Defense Contract Audits: Actions Needed to Improve DCAA’s Access to and Use
of Defense Company Internal Audit Reports, GAO-12-88 (Washington, D.C.: Dec. 8,
2011).

³Pub. L. 112-239 § 832(a).

In  addition,  the  NDAA  required  that  DCAA  revise  its  guidance  to  include 
safeguards  and  protections  to  ensure  that  the  internal  audit  reports  could 
not  be  used  for  any  purpose  other  than  evaluating  and  testing  the  efficacy 
of  contractor  internal  audit  controls  and  the  reliability  of  associated 
contractor  business  systems.  The  act  also  provided  that  contractor 
internal  audit  reports  could  provide  a  partial  basis  for  determining  that  the 
contractor  has  a  sound  system  of  internal  controls,  which,  in  turn,  could 
provide  a  basis  for  reduced  testing  by  DCAA. 


DCAA Revised Its Policies but Additional Attention Needed for Implementation


DCAA  revised  policies  and  guidance  to  incorporate  documentation 
requirements  for  requests  for  companies’  internal  audit  reports  as 
mandated  in  section  832  of  the  NDAA.  In  particular,  its  revised  guidance 
establishes  a  process  to  track  auditor’s  requests  and  company  responses 
for  internal  audits  and  requires  its  regional  offices  to  submit  a  semi-annual 
summary  of  all  requests  for  internal  audit  reports  to  be  sent  to 
headquarters  in  June  and  December  of  each  year.  However,  the 
information  contained  in  all  eight  requests  we  reviewed,  which  had  been 
submitted for the December 2013 semi-annual report, included only
partial  documentation,  and  there  were  inconsistencies  in  the  timing  for  the 
submission  of  information  for  the  report. 


DCAA Revised Its Guidance as Required by the NDAA for Fiscal Year 2013


DCAA  revised  the  Contract  Audit  Manual  in  April  2013  to  include 
directions  for  auditors  to  document  requests  for  company  internal  audits 
as  required  in  the  NDAA  for  Fiscal  Year  2013.  The  revisions  state  that 
auditors  should  include  documentation  to  show: 

•  how  the  company’s  internal  audit  is  related  to  the  work  DCAA  is 
conducting — that  is,  a  written  explanation  of  how  access  to  such 
reports  is  necessary  to  complete  required  evaluations  of  contractor 
business  systems; 


•  a  copy  of  any  request  from  DCAA  to  a  company  for  access  to  such 
reports;  and 

• a record of response received from the contractor, including the
contractor’s  rationale  or  justification  if  access  to  requested  reports 
was  not  granted. 

In  addition  to  the  NDAA  requirements,  DCAA’s  guidance  requires  that 
auditors  follow  up  on  denials  for  the  reports  and  initiate  denial  of  access 
paperwork  to  inform  DCAA  management  about  such  denials.  DCAA 
disseminated  the  guidance  through  a  Memorandum  for  Regional 
Directors  in  April  2013,  and  included  a  template  for  collecting  information 
for  tracking  and  monitoring  the  access.  Further,  DCAA  provided  training 
for  audit  staff  to  explain  the  new  guidance  and  reporting  requirements. 


Required Documentation Is Incomplete for Selected Cases

None of the eight requests for company internal audit reports we selected
in a random, nongeneralizable sample contained all documentation
required by the NDAA provisions and DCAA’s guidance. All eight records
contained documentation of DCAA’s request to the company, but none
contained  a  full  statement  of  the  requested  report’s  connection  to  DCAA’s 
work  and  two  did  not  cite  any  connection.  As  an  example,  the 
determination  recorded  in  one  working  paper  was  the  following:  “We 
determined  that  we  should  view  [the  audit  report]  to  support  our 
assessment  of  the  efficacy  of  internal  controls.”  While  the  justification 
states  that  the  internal  audit  report  would  support  DCAA’s  assessment  of 
internal  controls,  it  does  not  identify  which  aspects  of  internal  controls 
were  to  be  particularly  addressed.  That  is,  it  does  not  provide  a  detailed 
explanation  of  how  the  internal  report  was  connected  to  the  ongoing  work 
of  evaluating  internal  controls  or  risk  assessment. 

In  terms  of  documenting  the  companies’  response,  one  request  did  not 
provide  any  record  of  the  company’s  response.  Of  the  seven  requests 
that  contained  some  documentation  of  the  company’s  response,  the 
documentation  recorded  ranged  from  providing  a  copy  of  the  contractor’s 
response  to  recording  only  a  date.  We  note  that  DCAA  auditors  could 
have  additional  information,  such  as  an  email  from  the  company,  which 
would  provide  stronger  evidence  of  the  company’s  response.  The 
documentation  for  three  requests  contained  a  notation  of  the  kind  of 
access  provided  and  a  date.  DCAA  officials  stated  that  recording  a  date 
and the type of access granted, if a copy of the report was not provided,
met  their  interpretation  for  providing  a  record  of  the  response,  and  we 
assessed  them  as  documented.  The  request  that  contained  only  a  date 
we  assessed  as  not  documented. 

Figure  1  provides  information  about  the  extent  to  which  the  eight  regional 
submissions  contained  the  required  documentation. 

Figure 1: Documentation for Eight Randomly Selected DCAA Requests to
Companies for Internal Audit Reports

[Figure not reproduced. Columns, under "National Defense Authorization Act required documents": Internal audit; Recorded connection to DCAA audit; Request to company for internal report; Company’s response included. Legend: Documented; Partially documented; Not documented.]

Source: GAO analysis of DCAA data. | GAO-15-44


Four  of  the  requests  we  reviewed  were,  at  first,  denied  by  the  companies; 
three  of  the  denied  requests  contained  the  company’s  response  detailing 
the  company’s  rationale  for  the  denial,  and  one  did  not  have  any 
documentation  of  the  company’s  response.  The  documentation 
requirements  were  not  applied  consistently  for  the  cases  we  reviewed, 
and  without  consistent  application  of  the  documentation  requirements,  the 
reason  for  asking  for  the  audit  and  the  connection  to  DCAA’s  work  is 
unclear.  In  cases  where  the  companies  denied  the  requests, 
documentation  is  essential  for  determining  the  reason  for  the  denial  and 
perhaps  following  up  with  a  stronger  connection  between  DCAA’s  work 
and  the  request  to  the  company. 

DCAA  auditors  we  spoke  with  identified  factors  contributing  to  less  than 
full  documentation  for  the  requests  we  reviewed.  First,  they  said  that  the 
information  they  had  on  the  internal  audit  reports  was  limited  to  only  the 
title  of  the  audit,  and  that  while  the  title  could  provide  some  information,  it 
might  not  contain  enough  information  to  provide  a  strong  link  between 
DCAA’s  work  and  the  requested  audit.  Second,  they  stated  that  the 
instruction  about  documenting  the  connection  between  DCAA’s  work  and 
the requested audit or the benefit to DCAA was not clear. Third, an official
stated  that  the  contents  of  the  documents  were  not  reviewed  for 
completeness.  Finally,  in  the  case  of  documentation  of  the  company’s 
response,  some  officials  stated  that  they  believed  documentation,  such  as 
an  email,  was  needed  only  if  the  request  resulted  in  a  denial  of  access. 

Supervisory review of audit documentation is required by GAGAS. The
incomplete documents, including the complete lack of some documents,
could have been remedied if supervisory review by field offices and/or
contract audit coordinators had been undertaken. However, it is unclear to
what  extent  the  data  provided  by  the  auditors  for  the  semi-annual  reports 
are  consistently  reviewed  by  the  field  offices,  contract  audit  coordinators, 
or  headquarters.  One  regional  official  stated  that  records  were  reviewed 
in  that  region  to  assure  the  completeness  of  the  report,  but  officials  from 
another  region  indicated  that  records  were  only  reviewed  if  the  request  for 
a  contractor  internal  audit  resulted  in  a  denial  of  access.  The  guidance 
simply  states  that  a  connection  between  DCAA’s  work  and  the  requested 
audit  should  be  in  the  request.  The  guidance  does  not  provide  examples 
of  how  a  connection  should  be  stated.  Examples  of  a  well-developed 
connection  in  the  guidance  could  improve  the  documentation. 


Semi-Annual Report Could Provide Insight into Company Responsiveness and the Benefits of Access


DCAA’s  guidance  states  that  auditors  are  to  provide  the  information  on 
their  requests  for  company  internal  audits  in  a  semi-annual  report  to 
Headquarters.  The  semi-annual  report  tracks  the  number  of  requests  for 
internal  audit  reports  and  the  disposition  of  those  requests  by  the 
companies  over  a  6-month  period.  For  consistency,  the  auditors  use  a 
template  to  compile  the  information. 


The  submissions  used  the  template  provided;  however,  we  found 
inconsistencies  in  the  regions’  approaches  to  the  submissions.  According 
to  DCAA  officials,  each  region  developed  its  own  process  for 
implementing  the  revised  guidance.  For  example: 

•  DCAA’s  guidance  requires  each  region  to  submit  aggregated  data  for 
the report by June 1 and December 1. Since the guidance does not
specify a cut-off date for field offices and Contract Audit Coordinators
to submit reports to their respective region, each region established its
own reporting deadlines. We found cut-off dates ranging from October
15 to November 29 for the December 1, 2013, report. Since DCAA
headquarters  does  not  adjust  the  reporting  periods  for  each  region  to 
consolidate  the  data,  the  report  may  not  be  a  complete  snapshot  of 
the  requests  and  the  disposition  of  the  requests  for  the  reporting 
period.  Also,  the  timing  inconsistencies  in  data  cut-off  dates  for  the 
semi-annual  reporting  may  make  it  more  difficult  to  establish  a  starting 
date  for  subsequent  reporting  periods  resulting  in  overlapping  data — 
possibly  double  counting  requests  or  not  including  some  requests. 

The  regional  reports  are  aggregated  to  develop  an  agency  wide  report 
on  requests  for  company  internal  audits  and  the  lack  of  a  consistent 
process  limits  DCAA’s  ability  to  compile  complete  data  or  know  about 
the  extent  to  which  they  have  obtained  access  to  contractor  internal 
reports  in  a  given  period. 

•  The  guidance  states  that  auditors  track  requests  to  major  contractors. 
However,  the  number  of  major  contractors  varies  from  reporting 
period  to  reporting  period.  Some  factors  influencing  the  variation 
include  the  following: 


•  to  be  classified  as  a  major  contractor,  companies  must  have  $100 
million  or  more  in  reimbursable  claims  in  the  company’s  fiscal 
year.  Some  companies  do  not  meet  that  threshold  every  year. 

•  DCAA  officials  told  us  that  they  may  not  have  ongoing  work  at  the 
right  stage  for  requesting  internal  audits,  so  a  company  may  not 
be  included  in  a  list  of  major  contractors  for  a  given  period. 

DCAA  officials  explained  that  field  offices  should  include  major 
contractors  in  the  semi-annual  report  if  the  contractor  has  an  internal 
audit  department,  and  there  is  an  ongoing  DCAA  audit.  They  explained 
that  the  agency’s  internal  database  can  be  used  to  identify  major 
contractors.  However,  we  could  not  find  a  consistent  process  employed 
by  regional  offices  to  verify  that  all  major  contractors  where  DCAA  had 
ongoing  work  are  being  tracked  in  the  reports.  While  one  regional  official 
stated  that  the  person  responsible  for  the  regional  report  obtained  a  list  of 
major  contractors  and  ensured  that  all  were  included  in  the  report,  an 
official  from  another  region  indicated  that  the  person  responsible  relied  on 
each  field  office  to  know  which  contractors  fell  under  its  jurisdiction  and 
should  be  included  in  the  report.  Without  identifying  the  universe  of  major 
contractors,  DCAA  may  not  be  able  to  determine  the  percentage  of 
companies  from  whom  it  is  requesting,  receiving,  or  not  receiving  reports. 
Such  information  would  be  useful  in  determining  whether  obtaining 
companies’ internal control audits is helpful to DCAA in assessing audit
risk  and  in  streamlining  its  audit  work. 


Guidance Revisions Define Physical Safeguards for Internal Audit Reports, but Not for Unauthorized Use


In accordance with section 832 of the NDAA for Fiscal Year 2013, DCAA
revised  its  contract  audit  guidance  to  include  language  on  safeguarding 
companies’  internal  audit  reports  noting  that  the  act  states  that  the 
safeguards  should  prevent  the  agency  from  using  the  reports  for 
purposes  other  than  evaluating  and  testing  (1)  the  efficacy  of  internal 
controls  and  (2)  the  reliability  of  business  systems.  DCAA’s  revised 
guidance  addresses  physical  safeguards,  but  the  guidance  does  not 
include  a  clear  distinction  between  authorized  and  unauthorized  use  nor 
describe  a  specific  process  to  safeguard  companies’  internal  audit  reports 
from  such  unauthorized  use.  However,  DCAA  has  additional  planning 
underway  to  develop  electronic  safeguards  that  they  believe  will  address 
this  issue. 


Revised Guidance Includes a Discussion of Appropriate Safeguards


DCAA’s  Contract  Audit  Manual  includes  revised  guidance  that  identifies 
appropriate  physical  safeguards  for  companies’  internal  audit  reports.  The 
revised  guidance,  for  example,  outlines  physical  safeguards  such  as 
identifying  and  protecting  companies’  proprietary  information  as  well  as 
assigning  responsibility  for  safeguarding  companies’  information.  In 
particular,  one  revision  in  DCAA’s  audit  manual  states  that  when 
proprietary  information  is  located  in  a  secure  building,  the  information  can 
be  stored  in  unlocked  containers,  but  if  the  information  is  located  in  an 
unsecured  building,  the  information  should  be  stored  in  locked  containers. 
Additionally,  DCAA’s  revised  guidance  tasks  the  agency’s  auditors  with 
being  responsible  for  protecting  such  information,  including  making  sure 
that  they  do  not  release  proprietary  information  outside  of  appropriate 
channels.  A  central  point  of  contact  is  to  be  responsible  for  safeguarding 
copies  of  the  internal  audit,  providing  the  report  for  use  in  other  audits 
only  when  the  need  arises. 


Revised Guidance Does Not Define Authorized Use or Prescribe Safeguards


Section  832  of  the  NDAA  for  Fiscal  Year  2013  states  that  the  guidance
should  include  appropriate  safeguards  and  protections  to  ensure  that  the 
internal  audit  reports  are  not  used  for  purposes  unrelated  to  evaluating 
and  testing  the  efficacy  of  internal  controls  and  the  reliability  of  business 
systems.  Although  DCAA’s  revisions  acknowledge  responsibility  to 
provide  physical  safeguards,  the  guidance  does  not  provide  examples  of 
authorized  use  or  describe  or  define  unauthorized  use. 


When  we  spoke  with  representatives  of  several  companies  about 
safeguards,  they  provided  varying  perspectives  on  authorized  use. 
According  to  some  company  representatives  that  we  spoke  to,
“authorized  use”  is  considered  to  be  sharing  an  internal  audit  report
among  auditors  assigned  to  the  same  company.  Other  representatives 
told  us,  however,  that  they  define  “authorized  use”  as  limited  to  use  within 
a  specific  DCAA  audit  team  on  a  specific  occasion,  and  such  use  does 
not  extend  to  sharing  the  internal  audit  report  with  any  other  audit  team. 
Company  representatives  also  stated  that  they  believed  DCAA  used 
internal  audit  reports  as  a  means  of  identifying  particular  transactions  to 
investigate  further,  a  use  they  believe  is  not  in  accordance  with  the 
language  of  the  NDAA.  In  their  opinion,  an  authorized  use  is  defined  as 
examining  the  reports  only  to  assign  an  appropriate  level  of  risk  to  the 
business  system  under  review.  Without  a  specific  definition  of  authorized 
use,  DCAA  may  not  have  consistent  criteria  to  determine  if  and  when 
circumstances  warrant  sharing  an  audit  report  beyond  the  initial  request. 


DCAA  Has  Initiatives 
Underway  on  Sharing  and 
Storing  Internal  Audit 
Reports 


DCAA  officials  explained  that  the  agency  has  two  procedures  for  those 
cases  where  DCAA  is  able  to  obtain  copies  of  companies’  internal  audit 
reports  or  takes  such  extensive  notes  that  the  report  is  virtually  copied — 
one  manual  and  an  electronic  process  in  development.  First,  DCAA 
officials  said  that  the  agency  has  a  general  process  for  evaluating 
whether  new  DCAA  audit  teams’  requests  for  previously  obtained  reports 
are  justified.  Specifically,  the  officials  told  us  that  DCAA  has  identified  a 
central  point  of  contact  within  each  of  its  six  components  to  maintain 
custody  of,  and  monitor  access  to,  internal  audit  reports  and  will  also 
have  a  backup  in  case  the  designated  contact  is  unavailable.  The  officials 
explained  that  after  the  DCAA  central  point  of  contact  takes  custody  of  a 
copy  of  a  company’s  internal  audit  report,  any  new  DCAA  team  that 
identifies  a  need  for  that  report  will  need  to  present  an  assessment 
demonstrating  the  need  for  the  company’s  internal  audit  for  its  ongoing 
audit  to  the  DCAA  central  point  of  contact.  If  the  central  point  of  contact 
decides  that  the  new  DCAA  team  has  established  a  sufficient  case  for 
examining  the  audit  report,  the  contact  will  grant  access  to  that  audit 
team.  DCAA  officials  told  us  that  if  the  central  point  of  contact  grants 
access,  DCAA  would  not  necessarily  provide  the  company  with  any  type 
of  notification.  Figure  2  provides  a  decision  matrix  showing  the  process 
for  providing  the  audit,  based  on  whether  or  not  the  company  provides  a 
copy  to  DCAA. 

Figure  2:  Process  for  Controlling  Use  of  Internal  Audit  Reports

[Figure  not  reproduced.  Recoverable  text:  INITIAL  REQUEST:  DCAA  presents  connection  between  an  ongoing  DCAA  audit  and  a  company’s  internal  audit  report.]

Source:  GAO  analysis.  |  GAO-15-44


Second,  DCAA  officials  also  said  they  are  exploring  an  electronic  storage 
system  to  maintain  copies  of  companies’  internal  audit  reports  and  related 
documentation,  if  provided.  According  to  DCAA  officials,  the  central  point 
of  contact  will  use  the  electronic  storage  system  as  a  method  to 
safeguard  the  internal  audit  reports  by  limiting  auditors’  access  rights  on  a 
need-to-know  basis.  DCAA  officials  told  us  that,  based  on  their  outreach 
to  a  small  group  of  company  representatives,  they  expect  companies  will
react  positively  to  the  electronic  storage  system.  One  benefit  provided  by 
the  electronic  system,  according  to  DCAA  officials,  is  that  the  system  is 
expected  to  increase  DCAA’s  ability  to  obtain  copies  of  companies’ 
internal  audit  reports  because  of  the  increased  safeguards. 

However,  company  representatives  we  met  with  told  us  that  they  have 
concerns  with  providing  copies  of  internal  audit  reports  and  ceding  the 
decisions  about  when  DCAA  can  use  them.  The  representatives  said  that 
with  this  shift  in  granting  authorization  to  use  the  reports,  they  are 
concerned  that  DCAA  can  share  the  proprietary  reports  without  their 
specific  consent,  possibly  leading  to  unauthorized  use.  Further,  the 
representatives  told  us  that  such  unrestricted  sharing  would  not  allow  the 
company  to  see  the  context  in  which  the  internal  audits  are  being  used. 
They  also  stated  that  they  have  concerns  about  any  electronic  storage 
system  being  targeted  by  cyber  attacks  in  order  to  gain  access  to 
proprietary  information.  DCAA  officials  stated  they  would  take  these 
concerns  into  account  as  they  develop  the  system. 


Conclusions 


DCAA  has  revised  the  Contract  Audit  Manual  to  require  documentation  of 
information  as  specified  by  section  832  of  the  NDAA  for  Fiscal  Year  2013
regarding  requests  for  contractors’  internal  audit  reports.  However,  the 
revisions  to  the  Contract  Audit  Manual  alone  are  not  sufficient  to  assure 
that  sharing  companies’  internal  audit  reports  is  necessary  to  DCAA’s 
work  and  that  DCAA  will  use  the  reports  only  in  order  to  evaluate 
business  systems  or  to  assess  risk  associated  with  a  particular  audit.  In 
order  to  be  convincing,  the  requests  for  internal  audits  should  include  a 
specific  discussion  of  DCAA’s  need  for  the  internal  audit  and  how  it  is 
connected  to  DCAA’s  work.  As  described  in  the  NDAA,  the  internal  audit 
reports  can  be  used  to  provide  a  basis  for  streamlining  DCAA’s  work. 
However,  the  requests  for  the  internal  audits  we  examined  contained  only 
partial  information  about  the  connection  of  the  company’s  internal  audit  to 
DCAA’s  work  and  little,  if  any,  discussion  of  benefits  such  as  reduction  in 
risk  level  or  potential  reduction  to  testing  based  on  a  consideration  of  the 
work  of  company  internal  auditors.  Enhanced  internal  controls,  such  as 
supervisory  review  of  the  required  documentation,  could  assist  in 
assuring  that  the  required  information  is  provided  for  each  request. 

Although  the  revisions  to  the  guidance  echo  the  language  in  the  NDAA, 
they  do  not  provide  a  definition  of  authorized  use.  Demonstrating  that 
DCAA  has  clearly  defined  and  understands  the  elements  of  authorized 
use  is  critical  to  reassure  companies  that  their  internal  audits  will  be  used 
as  a  benefit  to  both  the  companies  and  to  DCAA.  If  DCAA  does  not 
rigorously  implement  its  revisions,  some  companies  may  be  reluctant  to
provide  DCAA  with  access  to  their  internal  audit  reports.  And,  without  the 
information  from  these  reports,  DCAA  may  have  limited  insight  into 
companies’  internal  controls  over  its  business  systems  and  may  miss 
opportunities  to  inform  and  streamline  its  audit  plans. 


Recommendations  for
Executive  Action


To  improve  the  process  for  requesting  company  internal  audit
reports,  we  recommend  the  Secretary  of  Defense  direct  the  Director,
DCAA,  to  take  the  following  two  actions:

1.  clarify  the  guidance  in  the  Contract  Audit  Manual  to

•  further  define,  with  examples,  the  specific  details  that  should  be  in 
the  requests  for  company  internal  audits  including  how  such 
internal  audits  are  specifically  tied  to  DCAA’s  work  and 

•  provide  a  definition  of  authorized  use  and  examples  of  such  use; 
and 

2.  establish  and  monitor  internal  controls  for  a  reporting  cut-off  date, 
identifying  major  contractors,  and  ensuring  information  has  been 
reviewed  for  completeness  and  accuracy. 


Agency  Comments 
and  Our  Evaluation 


We  provided  a  draft  of  this  report  to  the  Department  of  Defense  for  review 
and  comment.  In  its  written  comments,  which  are  reprinted  in  appendix  II, 
the  department  concurred  with  our  recommendations  and  described  the 
actions  it  plans  to  take  by  March  31, 2015.  For  our  recommendation  to 
further  revise  its  guidance  to  define,  with  examples,  the  specific  details 
that  should  be  in  the  requests  for  internal  audits  and  to  provide  a 
definition  of  authorized  use  and  examples  of  such  use,  the  department 
noted  DCAA  had  provided  training  and  guidance,  but  also  noted  that  a 
more  detailed  definition  in  the  Contract  Audit  Manual  and  specific 
examples,  in  a  guidebook  or  as  best  practices,  were  necessary.  For  our 
recommendation  to  establish  and  monitor  internal  controls  for  a  reporting 
cut-off  date,  identifying  major  contractors,  and  ensuring  information  was 
reviewed  for  completeness  and  accuracy,  the  department  stated  that 
DCAA  would  update  the  audit  manual  to  specify  the  cut-off  date  and 
establish  a  process  for  ensuring  that  all  the  major  contractors  that  should 
be  included  are,  in  fact,  included.  Further,  DCAA  agreed  to  update  the 
audit  manual  to  include  procedures  for  ensuring  documentation  is 
complete  for  each  request. 

DCAA  provided  technical  comments,  which  we  incorporated  in  the  report
where  appropriate. 


We  are  sending  copies  of  this  report  to  the  appropriate  congressional 
committees,  the  Secretary  of  Defense  and  the  Director,  Defense  Contract 
Audit  Agency,  and  other  interested  parties.  In  addition,  the  report  is 
available  at  no  charge  on  the  GAO  website  at  http://www.gao.gov. 

If  you  or  your  staff  have  any  questions  about  this  report,  please  contact 
me  at  (202)  512-4841  or  woodsw@gao.gov.  Contact  points  for  our
Offices  of  Congressional  Relations  and  Public  Affairs  may  be  found  on 
the  last  page  of  this  report.  GAO  staff  who  made  key  contributions  to  this 
report  are  listed  in  appendix  III. 


William  T.  Woods 
Director 

Acquisition  and  Sourcing  Management 

The  Honorable  Carl  Levin
Chairman 

The  Honorable  James  M.  Inhofe 
Ranking  Member 
Committee  on  Armed  Services 
United  States  Senate 

The  Honorable  Richard  J.  Durbin 
Chairman 

The  Honorable  Thad  Cochran 
Ranking  Member 
Subcommittee  on  Defense 
Committee  on  Appropriations 
United  States  Senate 

The  Honorable  Howard  P.  “Buck”  McKeon 
Chairman 

The  Honorable  Adam  Smith 
Ranking  Member 
Committee  on  Armed  Services 
House  of  Representatives 

The  Honorable  Rodney  Frelinghuysen 
Chairman 

The  Honorable  Pete  Visclosky 
Ranking  Member 
Subcommittee  on  Defense 
Committee  on  Appropriations 
House  of  Representatives 

Section  832  of  the  National  Defense  Authorization  Act  (NDAA)  for  Fiscal
Year  2013  required  that  the  Comptroller  General  review  the 
documentation  applicable  to  the  act’s  requirement  that  the  Defense 
Contract  Audit  Agency  (DCAA)  revise  its  audit  guidance  to  include 
directions  for  appropriate  documentation  of  its  requests  to  contractors  for 
their  internal  audit  reports.¹  The  revised  guidance  was  also  to  include
guidance  for  implementing  appropriate  safeguards  for  company  internal 
audits.  We  assessed  (1)  the  extent  to  which  DCAA’s  revised  guidance 
complied  with  the  act  and  whether  selected  requests  for  company  internal 
audit  reports  were  documented  in  accordance  with  the  requirements,  and 
(2)  the  extent  to  which  DCAA’s  revised  guidance  contains  safeguards  to 
help  ensure  that  internal  audit  reports  obtained  from  companies  are  used 
only  for  authorized  purposes. 

To  address  our  objectives,  we  compared  the  provisions  of  the  act  to  the 
revised  audit  guidance  to  determine  whether  the  revisions  included 
directions  for  documenting  requests  for  company  internal  audits,  the 
connections  to  DCAA’s  work  and  the  company’s  responses  and 
safeguards  for  the  internal  audits.  We  obtained  DCAA  submissions  to 
headquarters  for  163  requests  with  embedded  documents.  The 
documents  included  the  requests,  any  response  from  the  company,  and 
the  written  connection  between  the  requested  audit  and  DCAA’s  ongoing 
work.  We  interviewed  officials  about  the  process  for  compiling  the 
documents  and  examined  DCAA’s  implementing  guidance.  We  concluded 
that  the  data  were  sufficiently  reliable  for  the  purpose  of  selecting  a 
sample  and  determining  whether  the  requests  contained  the  required 
information  in  accordance  with  our  objectives.  We  selected  a 
nongeneralizable,  random  sample  of  8  DCAA  requests  from  the  163 
requests  DCAA  sent  to  companies  between  June  1, 2013,  and  December 
1,  2013,  to  examine  in  detail.  We  compared  the  documents  provided  with
each  request  to  both  the  NDAA  requirements  and  DCAA’s  guidance  to 
determine  if  the  records  contained  (1)  a  written  request  for  the  company 
audit  reports,  (2)  a  link  between  the  work  DCAA  was  doing  and  the 
company  report  requested  and  (3)  the  company  response.  We 
interviewed  DCAA  officials  about  changes  to  the  Contract  Audit  Manual, 
memorandums  amplifying  the  requirements  in  the  NDAA,  training 
provided  to  auditors,  and  any  management  reviews  to  ensure  the 
guidance  was  executed  according  to  DCAA  policy.  We  based  our
evaluation  of  DCAA’s  documentation  on  standards  for  documentation  and
supervisory  review  contained  in  generally  accepted  government  auditing
standards  (GAGAS).

¹Pub.  L.  No.  112-239  §  832.

We  believe  the  information  we  collected  was  sufficiently  reliable  to 
provide  a  reasonable  basis  for  our  analysis. 

To  evaluate  the  extent  to  which  DCAA  officials  are  monitoring  the 
execution  of  the  guidance,  we  obtained  management  reports  for  two  of 
the  semi-annual  periods,  January  to  June,  2013,  and  June  to  December, 
2013.  We  compared  the  guidance  in  the  templates  provided  for  reporting 
information  about  company  requests  with  the  information  contained  in  the 
spreadsheets  prepared  for  the  reports.  Our  analysis  included  checking 
that  the  request  to  the  company  was  included  in  the  documentation;  that 
the  request  contained  a  clear  connection  between  DCAA’s  work  and  the 
audit  and  that  it  included  how  obtaining  the  audit  would  benefit  DCAA’s 
work;  we  examined  the  documentation  for  evidence  of  a  company 
response  and  for  the  rationale  for  denying  the  request,  if  a  request  was 
denied  by  the  company.  We  determined  that  the  electronic  documentation 
was  reliable  for  the  information  we  sought.  We  contacted  DCAA  auditors 
in  cases  where  documentation  appeared  lacking  to  determine  their 
understanding  of  the  documentation  required.  The  results  of  our 
examination  provide  insights  into  how  the  regions  implement  the 
guidance  but  cannot  be  generalized  across  DCAA’s  requests  for  internal 
audits. 

To  determine  DCAA  response  to  providing  safeguards  for  company 
internal  audit  reports,  we  compared  DCAA’s  revised  guidance  to  the 
NDAA  for  Fiscal  Year  2013  requirements.  We  obtained  memorandums 
implementing  the  guidance  and  compared  it  to  the  guidance  in  the 
Contract  Audit  Manual.  We  discussed  DCAA’s  response  to  the  NDAA 
requirements  for  safeguarding  company  audits  with  DCAA  officials.  We 
also  discussed  DCAA’s  plans  to  take  additional  steps  to  safeguard 
company  audits  and  discussed  the  timing  of  those  plans.  To  obtain  the
perspective  of  companies  who  have  been  asked  or  may  be  asked  to 
provide  internal  audit  reports,  we  met  with  representatives  of  the 
Committee  on  Government  Business  of  Financial  Executives  International 
organization  and  discussed  company  perspectives  on  safeguards  and  the 
definition  of  authorized  use. 

We  conducted  this  performance  audit  from  April  2014  to  November  2014 
in  accordance  with  generally  accepted  government  auditing  standards. 
Those  standards  require  that  we  plan  and  perform  the  audit  to  obtain 
sufficient,  appropriate  evidence  to  provide  a  reasonable  basis  for  our
findings  and  conclusions  based  on  our  audit  objectives.  We  believe  that 
the  evidence  obtained  provides  a  reasonable  basis  for  our  findings  and 
conclusions  based  on  our  audit  objectives. 

DEFENSE  CONTRACT  AUDIT  AGENCY
DEPARTMENT  OF  DEFENSE

8725  JOHN  J.  KINGMAN  ROAD,  SUITE  2135
FORT  BELVOIR,  VA  22060-6219 


OFFICE  OF  THE  DIRECTOR 

November  3,  2014 

Mr.  William  T.  Woods 

Director,  Acquisition  and  Sourcing  Management 
U.S.  Government  Accountability  Office 
441  G  Street  NW,  Washington  DC  20548 

Dear  Mr.  Woods: 

This  is  the  Department  of  Defense  (DoD)  response  to  the  GAO  Draft  Report,  GAO-15-44,
DEFENSE  CONTRACT  AUDIT  AGENCY:  Additional  Guidance  Needed  Regarding
DCAA’s  Use  of  Companies’  Internal  Audit  Reports,  dated  October  3,  2014  (GAO  Code 
121182). 

Thank  you  for  the  opportunity  to  respond  to  the  subject  draft  report.  Our  response  to  the 
draft  report  recommendations  are  shown  below: 

RECOMMENDATION  1:  The  GAO  recommends  that  the  Secretary  of  Defense  direct  the
Director,  DCAA,  to  clarify  the  guidance  in  the  Contract  Audit  Manual  to:

•  Further  define,  with  examples,  the  specific  details  that  should  be  in  the  requests  for
internal  audits  including  how  such  internal  audits  are  specifically  tied  to  DCAA’s  work,
and

•  Provide  a  definition  of  authorized  use  and  examples  of  such  use. 

DoD  RESPONSE:  Concur. 

DCAA  guidance  and  training  pertaining  to  accessing  internal  audits  discussed  the  need  for 
providing  a  nexus  to  an  ongoing  audit  when  requesting  access  to  internal  audits.  However,  based
on  the  findings  in  this  report,  it  is  clear  that  a  more  detailed  definition,  including  examples  with 
the  specific  details  that  should  be  in  the  requests,  is  necessary  to  ensure  the  field  auditors  are 
clear  on  what  information  should  be  in  the  request.  Additionally,  DCAA  designated  points  of 
contact  at  each  FAO  are  responsible  for  safeguarding  the  contractor’s  internal  audit  reports,  and 
for  determining  whether  future  auditors  should  gain  access  to  an  internal  audit  report,  based  on  a 
nexus  to  their  ongoing  audit.  However,  DCAA  did  not  specifically  define  authorized  and 
unauthorized  use,  or  give  specific  examples  of  such  use.

DCAA  will  review  the  Contract  Audit  Manual  guidance  and  provide  definitions  that  are  more 
detailed.  Additionally,  DCAA  will  provide  examples,  either  in  a  guidebook  or  as  a  best  practice, 
to  assist  auditors  in  writing  requests  for  internal  audits  that  contain  well-developed  connections 
between  the  internal  audit  report  and  the  ongoing  audit,  and  to  assist  them  in  determining  what  is 
considered  authorized  use.  DCAA  will  complete  these  actions  by  March  31,  2015.



Appendix  II:  Comments  from  the  Department 
of  Defense 


RECOMMENDATION  2:  The  GAO  recommends  that  the  Secretary  of  Defense  direct  the 
Director,  DCAA,  to  establish  and  monitor  internal  controls  for  a  reporting  cut-off  date, 
identifying  major  contractors,  and  ensuring  information  has  been  reviewed  for  completeness  and 
accuracy. 

DoD  RESPONSE:  Concur. 

DCAA  agrees  that  the  guidance  is  not  clear  on  the  reporting  cut-off  date.  The  guidance  states 
that  the  data  must  be  submitted  to  Headquarters  semiannually  by  June  1  and  December  1,  but  the 
date  for  cutting  off  the  data  for  submission  is  not  clear,  and  appears  to  be  inconsistent  across  the 
Regions.  DCAA  will  update  the  Contract  Audit  Manual  guidance  to  include  specific  cut  off 
dates  to  ensure  the  consolidated  data  is  consistent  and  complete. 

DCAA  also  agrees  that  a  consistent  process  should  be  established  for  ensuring  the  report  is 
complete  with  all  relevant  major  contractors  included.  DCAA  currently  has  no  formal 
procedures  in  the  guidance  to  ensure  steps  are  taken  to  determine  if  the  report  is  complete 
(includes  all  of  the  major  contractors  it  should).  DCAA  will  update  the  guidance  to  include
procedures  for  ensuring  all  relevant  major  contractors  are  included  in  the  report,  and  will  provide 
the  field  a  tool  to  use  to  ensure  these  procedures  are  documented  and  consistent  across  the 
Agency. 

DCAA  also  agrees  that  there  are  no  formal  procedures  for  ensuring  that  the  documentation 
requirements  are  reviewed  for  completeness  and  accuracy.  In  addition  to  the  actions  above  to 
provide  examples  to  assist  auditors  in  writing  requests  for  internal  audits  that  contain  well- 
developed  connections  between  the  internal  audit  report  and  the  ongoing  audit,  DCAA  will  also 
update  the  guidance  to  include  procedures  for  ensuring  all  required  documentation  exists  for 
each  item  reported. 

DCAA  will  complete  all  actions  in  response  to  this  recommendation  by  March  31,  2015. 

Questions  regarding  this  letter  should  be  directed  to  Mr.  Joe  Garcia,  Executive  Officer,  at 
(703)  767-3265  or  e-mail  joe.garcia@dcaa.mil.


Anita  F.  Bales 
Director 

William  T.  Woods,  (202)  512-4841  or  woodsw@gao.gov

In  addition  to  the  contact  named  above,  Penny  Berrier,  Assistant  Director,
Marycella  Cortes,  Jessica  Drucker,  Danielle  Greene,  John  Krump,  Jean 

GAO’s  Mission

The  Government  Accountability  Office,  the  audit,  evaluation,  and 
investigative  arm  of  Congress,  exists  to  support  Congress  in  meeting  its 
constitutional  responsibilities  and  to  help  improve  the  performance  and 
accountability  of  the  federal  government  for  the  American  people.  GAO 
examines  the  use  of  public  funds;  evaluates  federal  programs  and 
policies;  and  provides  analyses,  recommendations,  and  other  assistance 
to  help  Congress  make  informed  oversight,  policy,  and  funding  decisions. 
GAO’s  commitment  to  good  government  is  reflected  in  its  core  values  of 
accountability,  integrity,  and  reliability. 

Obtaining  Copies  of 
GAO  Reports  and 
Testimony 

The  fastest  and  easiest  way  to  obtain  copies  of  GAO  documents  at  no 
cost  is  through  GAO’s  website  (http://www.gao.gov).  Each  weekday 
afternoon,  GAO  posts  on  its  website  newly  released  reports,  testimony, 
and  correspondence.  To  have  GAO  e-mail  you  a  list  of  newly  posted 
products,  go  to  http://www.gao.gov  and  select  “E-mail  Updates.” 

Order  by  Phone 

The  price  of  each  GAO  publication  reflects  GAO’s  actual  cost  of 
production  and  distribution  and  depends  on  the  number  of  pages  in  the 
publication  and  whether  the  publication  is  printed  in  color  or  black  and 
white.  Pricing  and  ordering  information  is  posted  on  GAO’s  website, 
http://www.gao.gov/ordering.htm. 

Place  orders  by  calling  (202)  512-6000,  toll  free  (866)  801-7077,  or
TDD  (202)  512-2537.

Orders  may  be  paid  for  using  American  Express,  Discover  Card, 
MasterCard,  Visa,  check,  or  money  order.  Call  for  additional  information. 

Connect  with  GAO 

Connect  with  GAO  on  Facebook,  Flickr,  Twitter,  and  YouTube. 

Subscribe  to  our  RSS  Feeds  or  E-mail  Updates.  Listen  to  our  Podcasts. 
Visit  GAO  on  the  web  at  www.gao.gov. 

To  Report  Fraud, 
Waste,  and  Abuse  in 
Federal  Programs 

Contact: 

Website:  http://www.gao.gov/fraudnet/fraudnet.htm 

E-mail:  fraudnet@gao.gov 

Automated  answering  system:  (800)  424-5454  or  (202)  512-7470 

Congressional
Relations

Katherine  Siggerud,  Managing  Director,  siggerudk@gao.gov,  (202)  512- 
4400,  U.S.  Government  Accountability  Office,  441  G  Street  NW,  Room 
7125,  Washington,  DC  20548 

Public  Affairs 

Chuck  Young,  Managing  Director,  youngc1@gao.gov,  (202)  512-4800 

U.S.  Government  Accountability  Office,  441  G  Street  NW,  Room  7149 
Washington,  DC  20548 